
Reverse Engineering. Ian Kayne, for the School of Computer Science, University of Birmingham, 2nd February 2009.


Slide 1: Reverse Engineering. Ian Kayne, for the School of Computer Science, University of Birmingham, 2nd February 2009

Slide 2 (02/09/09): RCE
- Reverse (Code) Engineering: "reversing"
- What is it?
- Why is it done?
  - Malware research & defence
  - System interoperability requirements
  - Review and audit of software/security systems
- Why is it useful to security specialists?
  - "Learn the principles"

Slide 3: RCE
- Required knowledge/skills (x86)
  - Platform knowledge: stack, registers etc.
  - "Some" assembly language
  - C/C++ and as many other languages as possible
  - Operating system mechanisms
  - Win32 API
  - Toolset (debugger, disassembler, hex editor...)
  - Mindset (patterns, logic)

Slide 4: RCE
- Imagine a strong protection mechanism (diagram of building blocks):
  - Complex math
  - Asymmetric
  - Symmetric
  - Checksums
  - Shareware-style crippled features

Slide 5: RCE
- Reversing demonstration

Slide 6: RCE
- After the demonstration, recap:
  1. Analysed executable
  2. Set breakpoints on likely API calls
  3. Traced up the call stack
  4. Analysed the code
  5. Found the good boy/bad boy "switch"
  6. Patched the jump "live" to test
  7. Converted RVA to file offset, patched file
     - 1-byte patch
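Step 7 of the recap, converting an RVA to a file offset, is the point where an address seen in the debugger is mapped back to the bytes on disk; an analyst uses the same mapping to check whether the code running in memory still matches the file (for example when a hook or patch is suspected). The Python below is an added example, not code from the original slides: it parses a constructed PE section table (no real binary is involved) and walks it the way the loader does, returning None for addresses that have no raw bytes behind them.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

def parse_section_table(data, count):
    """Parse `count` IMAGE_SECTION_HEADER records from `data`."""
    sections = []
    for i in range(count):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, i * SECTION_HEADER_SIZE)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
        })
    return sections

def rva_to_file_offset(sections, rva):
    """Map an RVA (address relative to the image base, as shown by a debugger)
    to the offset of the same bytes in the file on disk.
    Returns None when the RVA is not backed by raw file data: either it falls
    outside every section, or it lies in a section's virtual tail beyond
    SizeOfRawData (zero-filled by the loader, not stored in the file)."""
    for s in sections:
        start = s["virtual_address"]
        span = max(s["virtual_size"], s["raw_size"])
        if start <= rva < start + span:
            delta = rva - start
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None

# Constructed section table (not taken from any real binary): .text mapped at
# RVA 0x1000 from file offset 0x400, and .data at RVA 0x2000 from file offset
# 0xA00 whose virtual size (0x800) exceeds its raw size (0x200).
SAMPLE_TABLE = (
    struct.pack(SECTION_HEADER_FMT, b".text", 0x5A0, 0x1000, 0x600, 0x400, 0, 0, 0, 0, 0x60000020)
    + struct.pack(SECTION_HEADER_FMT, b".data", 0x800, 0x2000, 0x200, 0xA00, 0, 0, 0, 0, 0xC0000040)
)
SAMPLE_SECTIONS = parse_section_table(SAMPLE_TABLE, 2)

if __name__ == "__main__":
    for rva in (0x1234, 0x2100, 0x2300, 0x3000):
        off = rva_to_file_offset(SAMPLE_SECTIONS, rva)
        print(hex(rva), "->", hex(off) if off is not None else None)
```

For a real file the same two functions apply once the section table has been located via the e_lfanew and NumberOfSections header fields.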

Slide 7: Protection
- Imagine a strong protection mechanism again
  - License key system
  - CRC
  - Anti-debugging techniques
  - Encryption

Slide 8: Protection
- Encryption for protection
  - Data must be decrypted before use
  - Code must be decrypted before execution
  - UPX (packer), Armadillo, Themida...
  - Can be made very hard, but not impossible
  - Remember the jump loop: EB FE (a short jump to itself)
  - Generics: break one, break all
  - Homebrew is risky: "learn the principles"

Slide 9: Protection
- Some obfuscation techniques:
  - Encode obvious "beacon" strings
  - Avoid Win32 API/library functions:
    - bpx MessageBoxA
  - Use alternative functions/mechanisms
    - e.g. SetWindowPos instead of ShowWindow
  - Roll your own API/GUI functions
    - Can't break on GetWindowText if you don't use it!
  - Hide code within the executable
    - Self-modifying code, PE sections etc.

Slide 10: Protection
- Some anti-debugger techniques
  - Deliberate exceptions (code in SEH)
  - Self-debugging (can't "stack" debuggers)
  - Timers and counters
  - Alter DR0–DR7 hardware debug registers
  - IsDebuggerPresent()
  - Check for/attack known debugger processes, windows, services, drivers... (StarForce)
  - http://www.securityfocus.com/infocus/1893

Slide 11: RCE
- Why are these low-level technical techniques important?
  - "Learn the principles"
- Your first job: consultant to a betting company about to release an online gambling game
  - The basics:
    - Internet security
    - Server security
    - Data security
  - But... what about the end-user software?

Slide 12: Review
- Thank you!
- Questions
- Comments
- Items to review
- Further study

